General Info

File name

jelma.exe

Verdict
Malicious activity
Analysis date
11/8/2018, 09:56:49
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
trojan
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

6d497a11457912bff6d4b92b5e383037

SHA1

d8e41fdc4acc037ac3f4155321b62e9e14fd9220

SHA256

f6e4a44a1c6bd6a79041746337fbba4e725abb70afb48d676a60dd3ba0c5c65f

SSDEEP

12288:T0HVVyZ0fNuTJHLvpkMPrQ4YVZq3Yu8/Cv9qFe4K:TKHcTFLvprs4YVcIu8sl4K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Actions look like stealing of personal data
  • jelma.exe (PID: 3880)
Writes file to Word startup folder
  • jelma.exe (PID: 3880)
Renames files like Ransomware
  • jelma.exe (PID: 3880)
GandCrab keys found
  • jelma.exe (PID: 3880)
Deletes shadow copies
  • jelma.exe (PID: 3880)
Dropped file may contain instructions of ransomware
  • jelma.exe (PID: 3880)
Connects to CnC server
  • jelma.exe (PID: 3880)
Creates files like Ransomware instruction
  • jelma.exe (PID: 3880)
Creates files in the user directory
  • jelma.exe (PID: 3880)
Dropped object may contain TOR URLs
  • jelma.exe (PID: 3880)


Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:11:07 22:21:42+01:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
288256
InitializedDataSize:
256000
UninitializedDataSize:
null
EntryPoint:
0x17780
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
5.4.7.366
ProductVersionNumber:
5.4.7.366
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
FileDescription:
Nextstep Textarea Slwcars Seagate Affrdable
CompanyName:
Softplicity
InternalName:
Korn Slves
LegalCopyright:
Softplicity Copyright (c) 2014 - . All rights reserved.
ProductName:
Korn Slves
ProductVersion:
5.4.7.366
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
07-Nov-2018 21:21:42
Detected languages
English - United States
FileDescription:
Nextstep Textarea Slwcars Seagate Affrdable
CompanyName:
Softplicity
InternalName:
Korn Slves
LegalCopyright:
Softplicity Copyright (c) 2014 - . All rights reserved.
ProductName:
Korn Slves
ProductVersion:
5.4.7.366
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
07-Nov-2018 21:21:42
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00046561 0x00046600 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.3967
.rdata 0x00048000 0x00012FA6 0x00013000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.87471
.data 0x0005B000 0x00003D08 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.05469
.rsrc 0x0005F000 0x00029940 0x00029A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.59437
Resources
1, 28, 190, 230, 2065, 2066, 2067, 2068, 2069, 2070, 3989, 4077, 4078, 4079, 4104, 4214, 30734, 32500, AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_L, AQUA_IDB_OFFICE2007_RIBBON_BTN_PAGE_R

Imports
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    WINSPOOL.DRV
    COMDLG32.dll
    ADVAPI32.dll
    SHELL32.dll
    ole32.dll
    OLEAUT32.dll
    ODBC32.dll
    WS2_32.dll
    PSAPI.DLL
    MSVFW32.dll
    AVIFIL32.dll
    SHLWAPI.dll
    COMCTL32.dll
    RPCRT4.dll
    UxTheme.dll

Exports

    No exports.

Processes

Total processes
35
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start -> jelma.exe (#GANDCRAB) -> wmic.exe (no specs)

Process information


PID
3880
CMD
"C:\Users\admin\AppData\Local\Temp\jelma.exe"
Path
C:\Users\admin\AppData\Local\Temp\jelma.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Softplicity
Description
Nextstep Textarea Slwcars Seagate Affrdable
Version
Modules
Image
c:\users\admin\appdata\local\temp\jelma.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
1392
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
jelma.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

Registry activity

Total events
125
Read events
94
Write events
31
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E007200650064006F0064000000
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
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
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
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
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
EnableFileTracing
0
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
EnableConsoleTracing
0
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
FileTracingMask
4294901760
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
ConsoleTracingMask
4294901760
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
MaxFileSize
1048576
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASAPI32
FileDirectory
%windir%\tracing
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
EnableFileTracing
0
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
EnableConsoleTracing
0
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
FileTracingMask
4294901760
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
ConsoleTracingMask
4294901760
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
MaxFileSize
1048576
3880
jelma.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jelma_RASMANCS
FileDirectory
%windir%\tracing
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3880
jelma.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3880
jelma.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
280
Text files
211
Unknown types
6

Dropped files

PID Process Filename Type
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[2].txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[2].txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[1].txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[2].txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[1].txt ––
3880 jelma.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 binary
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Tar2D55.tmp ––
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Cab2D54.tmp ––
3880 jelma.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 compressed
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Tar2C97.tmp ––
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Cab2C96.tmp ––
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Tar2C57.tmp ––
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\Cab2C46.tmp ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.morcote-residenza[1].txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@belvedere-locarno[1].txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.pizcam[1].txt text
3880 jelma.exe C:\Users\admin\AppData\Local\Temp\pidor.bmp image
3880 jelma.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.redod ––
3880 jelma.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv ––
3880 jelma.exe C:\Users\Public\Videos\Sample Videos\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv ––
3880 jelma.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.redod ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.redod binary
3880 jelma.exe C:\Users\Public\Recorded TV\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Recorded TV\Sample Media\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.redod binary
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.redod pi
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
3880 jelma.exe C:\Users\Public\Pictures\Sample Pictures\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.redod ––
3880 jelma.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
3880 jelma.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.redod binary
3880 jelma.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
3880 jelma.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
3880 jelma.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.redod ––
3880 jelma.exe C:\Users\Public\Libraries\RecordedTV.library-ms.redod binary
3880 jelma.exe C:\Users\Public\Music\Sample Music\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
3880 jelma.exe C:\Users\Public\Downloads\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Favorites\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Music\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Libraries\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Videos\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Documents\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\Public\Pictures\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Saved Games\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Pictures\updatespresent.jpg.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.redod binary
3880 jelma.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.redod binary
3880 jelma.exe C:\Users\admin\Searches\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
3880 jelma.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
3880 jelma.exe C:\Users\admin\Pictures\mongood.jpg.redod binary
3880 jelma.exe C:\Users\admin\Pictures\thereforestudents.png.redod binary
3880 jelma.exe C:\Users\admin\Pictures\updatespresent.jpg ––
3880 jelma.exe C:\Users\admin\Pictures\thereforestudents.png ––
3880 jelma.exe C:\Users\admin\Pictures\ensurecalendar.jpg.redod binary
3880 jelma.exe C:\Users\admin\Pictures\mongood.jpg ––
3880 jelma.exe C:\Users\admin\Pictures\ensurecalendar.jpg ––
3880 jelma.exe C:\Users\admin\Pictures\createdarticle.jpg.redod binary
3880 jelma.exe C:\Users\admin\Pictures\cyes.png.redod binary
3880 jelma.exe C:\Users\admin\Pictures\cyes.png ––
3880 jelma.exe C:\Users\admin\Pictures\createdarticle.jpg ––
3880 jelma.exe C:\Users\admin\ntuser.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.redod binary
3880 jelma.exe C:\Users\admin\Links\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\ntuser.ini ––
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
3880 jelma.exe C:\Users\admin\Favorites\Windows Live\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\MSN Websites\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
3880 jelma.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Microsoft Websites\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
3880 jelma.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Links\Suggested Sites.url.redod binary
3880 jelma.exe C:\Users\admin\Favorites\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\Links for United States\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Favorites\Links\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Downloads\starsagain.png.redod binary
3880 jelma.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
3880 jelma.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
3880 jelma.exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
3880 jelma.exe C:\Users\admin\Downloads\starsagain.png ––
3880 jelma.exe C:\Users\admin\Downloads\britishread.png.redod binary
3880 jelma.exe C:\Users\admin\Downloads\computerfacilities.jpg.redod binary
3880 jelma.exe C:\Users\admin\Downloads\mmbook.png.redod binary
3880 jelma.exe C:\Users\admin\Downloads\relatedcurrently.jpg.redod binary
3880 jelma.exe C:\Users\admin\Downloads\passbasket.png.redod binary
3880 jelma.exe C:\Users\admin\Downloads\relatedcurrently.jpg ––
3880 jelma.exe C:\Users\admin\Downloads\passbasket.png ––
3880 jelma.exe C:\Users\admin\Downloads\mmbook.png ––
3880 jelma.exe C:\Users\admin\Downloads\britishread.png ––
3880 jelma.exe C:\Users\admin\Downloads\computerfacilities.jpg ––
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.redod binary
3880 jelma.exe C:\Users\admin\Documents\visionstate.rtf.redod binary
3880 jelma.exe C:\Users\admin\Downloads\bibleagreement.jpg.redod binary
3880 jelma.exe C:\Users\admin\Downloads\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Documents\sciencesnature.rtf.redod binary
3880 jelma.exe C:\Users\admin\Documents\visionstate.rtf ––
3880 jelma.exe C:\Users\admin\Documents\sciencesnature.rtf ––
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
3880 jelma.exe C:\Users\admin\Downloads\bibleagreement.jpg ––
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.redod binary
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.redod binary
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.redod binary
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.redod binary
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.redod binary
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.redod binary
3880 jelma.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
3880 jelma.exe C:\Users\admin\Documents\marvisual.rtf.redod binary
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Desktop\yetbook.jpg.redod binary
3880 jelma.exe C:\Users\admin\Music\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Pictures\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Videos\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Documents\OneNote Notebooks\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Documents\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Documents\marvisual.rtf ––
3880 jelma.exe C:\Users\admin\Desktop\teststone.png.redod binary
3880 jelma.exe C:\Users\admin\Desktop\usefulinternational.jpg.redod binary
3880 jelma.exe C:\Users\admin\Desktop\yetbook.jpg ––
3880 jelma.exe C:\Users\admin\Desktop\teststone.png ––
3880 jelma.exe C:\Users\admin\Desktop\usefulinternational.jpg ––
3880 jelma.exe C:\Users\admin\Desktop\randomissues.rtf.redod binary
3880 jelma.exe C:\Users\admin\Desktop\studyat.rtf.redod binary
3880 jelma.exe C:\Users\admin\Desktop\randomissues.rtf ––
3880 jelma.exe C:\Users\admin\Desktop\studyat.rtf ––
3880 jelma.exe C:\Users\admin\Desktop\introductionblood.jpg.redod binary
3880 jelma.exe C:\Users\admin\Desktop\priceindian.rtf.redod binary
3880 jelma.exe C:\Users\admin\Desktop\maccessories.rtf.redod binary
3880 jelma.exe C:\Users\admin\Desktop\introductionblood.jpg ––
3880 jelma.exe C:\Users\admin\Desktop\priceindian.rtf ––
3880 jelma.exe C:\Users\admin\Desktop\maccessories.rtf ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Desktop\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Desktop\chicagonetworking.rtf.redod binary
3880 jelma.exe C:\Users\admin\Desktop\becomemaybe.jpg.redod binary
3880 jelma.exe C:\Users\admin\Contacts\admin.contact.redod binary
3880 jelma.exe C:\Users\admin\Desktop\chicagonetworking.rtf ––
3880 jelma.exe C:\Users\admin\Desktop\becomemaybe.jpg ––
3880 jelma.exe C:\Users\admin\Contacts\admin.contact ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\WinRAR\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Sun\Java\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\Contacts\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Sun\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\logs\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.redod fli
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\Opera\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Opera\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Notepad++\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.redod mp3
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[1].txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\journals\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1.redod ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\journals\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1.redod ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite.redod ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json.redod flc
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\minidumps\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json.redod ini
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\WINNT_x86-msvc\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite.redod ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\events\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Extensions\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Word\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Vault\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Mozilla\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\1033\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4.redod fli
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Stationery\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Speech\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old.redod mp3
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\logs\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3.redod ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Signatures\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8 ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Proof\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\PowerPoint\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Office\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Network\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Excel\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Credentials\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\AddIns\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\Microsoft\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Media Center Programs\REDOD-DECRYPT.txt text
3880 jelma.exe C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.redod binary
3880 jelma.exe C:\Users\admin\AppData\Roaming\Identities\REDOD-DECRYPT.txt text

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
33
TCP/UDP connections
60
DNS requests
27
Threats
12

HTTP requests


Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections


DNS requests


Threats

PID Process Class Message
3880 jelma.exe A Network Trojan was detected ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected ET POLICY Data POST to an image file (jpg)
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity
3880 jelma.exe A Network Trojan was detected ET POLICY Data POST to an image file (gif)
3880 jelma.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity

Debug output strings

Process Message
jelma.exe Minidump failed!